The Agency confirms that Facebook treats data, even specially protected, for advertising purposes without obtaining consent and does not completely cancel the information of the users when it is no longer useful for the purpose for which it was collected or when they request it.

The Spanish Agency for Data Protection (AEPD) has issued  resolution  in the proceedings to the company Facebook to analyze whether the data processing carried out by the social network are adapted to the rules of data protection. The Agency declares the existence of  two serious infringements and one very serious of the Organic Law on Data Protection (LOPD)  and imposes on Facebook a penalty of 1,200,000 euros -300,000 for each of the first and 600,000 for the second.

In the framework of the research, the AEPD has verified that Facebook  collects data on ideology, sex, religious beliefs, personal tastes or navigation without clearly informing  about the use and purpose that it will give them. Specifically, it has verified that the social network treats specially protected data for publicity purposes, among others, without obtaining the express consent of the users as required by data protection regulations, a violation classified as very serious in the LOPD.

The investigation has also allowed us to verify that Facebook does not inform users in an exhaustive and clear way about the data that will collect and the treatments that will be carried out with them, but is limited to give some examples. In particular, the social network collects other data derived from the interaction carried out by users on the platform and on third-party sites  without them being able to clearly perceive the information that Facebook collects about them or for what purpose they will use it .

The AEPD has also confirmed that users are not informed that their information will be processed through the use of cookies – some specifically used advertising and some of the use declared secret by the company –  when browsing non-Facebook pages and containing the ‘Like’ button. This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when users who are registered on Facebook browse through third party pages, even without logging into Facebook. In these cases, the platform adds the information collected in said pages to the one associated with your account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection regulations.

The Agency has also noted that Facebook’s privacy policy contains generic and unclear expressions, and requires access to many different links to meet. The social network inaccurately refers to the use it will make of the data it collects, so that  a Facebook user with an average knowledge of the new technologies does not become aware of data collection or storage and subsequent treatment, nor of what they will be used. For their part,  unregistered Internet users are unaware that the social network collects their browsing data .

Consequently, the Agency considers that Facebook does not adequately collect the consent of either its users or those who are not – and whose data it also treats, which constitutes a serious infringement.

Finally, the Agency has been able to verify that  Facebook does not eliminate the information that it collects from the habits of navigation of the users , but retains and reuses it later associated with the same user. Regarding data retention, when a social network user has deleted his account and requests the deletion of the information,  Facebook captures and treats information for more than 17 months  through a deleted account cookie. Therefore, the EDPSconsiders that the personal data of the users are not canceled in their entirety or when they are no longer useful for the purpose for which they were collected nor when the user explicitly requests their removal, according to the requirements of the LOPD, which represents a serious offense.

Contact group

Given the changes introduced by Facebook in its terms and conditions of use in January 2015, several Data Protection Authorities of the European Union, including the AEPD , formed a Contact Group * through which to coordinate their actions . These authorities  have developed their respective investigation procedures in  accordance with the provisions of their national legal systems.

* The Contact Group is composed of the Data Protection Authorities of Belgium, Spain, France, Hamburg (Germany) and the Netherlands.